CVE-2023-42795 Overview
CVE-2023-42795 is an Incomplete Cleanup vulnerability [CWE-459] in Apache Tomcat that can leak information between HTTP requests. When an error occurs while Tomcat is recycling various internal objects, it skips parts of the recycling process. As a result, data from the current request or response can leak into the next request or response processed by the same connection.
The flaw affects Apache Tomcat versions 11.0.0-M1 through 11.0.0-M11, 10.1.0-M1 through 10.1.13, 9.0.0-M1 through 9.0.80, and 8.5.0 through 8.5.93. Older end-of-life versions may also be affected.
Critical Impact
An unauthenticated remote attacker can trigger cross-request information disclosure, potentially exposing sensitive data such as session identifiers, headers, or response bodies between unrelated clients sharing the same Tomcat instance.
Affected Products
- Apache Tomcat 11.0.0-M1 through 11.0.0-M11
- Apache Tomcat 10.1.0-M1 through 10.1.13
- Apache Tomcat 9.0.0-M1 through 9.0.80
- Apache Tomcat 8.5.0 through 8.5.93
- Debian Linux 10, 11, and 12 (Tomcat packages)
Discovery Timeline
- 2023-10-10 - CVE-2023-42795 published to NVD
- 2025-08-07 - Last updated in NVD database
Technical Details for CVE-2023-42795
Vulnerability Analysis
Apache Tomcat reuses internal objects such as Request, Response, and associated buffers across multiple HTTP transactions to reduce allocation overhead. Before reuse, these objects must be reset through a recycling process that clears all per-request state.
Under specific error conditions during recycling, Tomcat skips portions of this cleanup. Residual data from the previous request or response remains attached to the recycled object. The next request handled by that object can therefore observe attributes, headers, or body content that belonged to an earlier transaction.
The exposure is classified as a confidentiality issue. There is no integrity or availability impact, and exploitation requires no privileges or user interaction. Sensitive material that may leak includes authentication tokens, cookies, request bodies, and internal response data. The EPSS probability for exploitation is 0.692% (percentile 72.02).
Root Cause
The root cause is incomplete object cleanup [CWE-459] in Tomcat's connector and processor recycling logic. An error path causes the recycling sequence to exit early, leaving some internal fields populated with prior request data. Because Tomcat pools these objects for performance, the stale state persists into subsequent request handling.
Attack Vector
The attack vector is the network. An attacker sends crafted HTTP requests to a vulnerable Tomcat server and observes responses for fragments of data that originated from other clients. Exploitation does not require authentication or social engineering, but the leaked content depends on timing, the workload of the server, and which objects are recycled. Reliable extraction of specific secrets is opportunistic rather than deterministic.
No public proof-of-concept exploit code is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. Technical details are documented in the Apache Mailing List Thread and the Openwall OSS-Security Update.
Detection Methods for CVE-2023-42795
Indicators of Compromise
- HTTP responses that contain headers, cookies, or body fragments inconsistent with the originating request, indicating cross-request data leakage.
- Anomalous Tomcat access log entries where response sizes or content types do not match the requested resource.
- Unexpected Set-Cookie or Authorization header values appearing in responses to unauthenticated endpoints.
Detection Strategies
- Inventory all Java application servers and verify Tomcat versions against the vulnerable ranges using build manifests, RELEASE-NOTES, or catalina.jar metadata.
- Deploy web application firewall (WAF) or reverse proxy rules that compare response content fingerprints to the requesting client identity and flag mismatches.
- Run authenticated configuration scans with vulnerability management tools that map installed Tomcat packages to CVE-2023-42795.
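The version inventory step above needs a comparison that understands Tomcat's milestone numbering (11.0.0-M11 is older than 11.0.0-M12, which is older than 11.0.0). The following script is an added example, not part of this advisory or the Tomcat project; it assumes the version is supplied either as a bare string or as the "Server version: Apache Tomcat/x.y.z" line printed by bin/version.sh, and encodes the vulnerable and fixed ranges stated on this page.

```python
import re
from typing import Optional, Tuple
# Inclusive vulnerable ranges as listed in the advisory text above.
VULNERABLE_RANGES = [
    ("11.0.0-M1", "11.0.0-M11"),
    ("10.1.0-M1", "10.1.13"),
    ("9.0.0-M1", "9.0.80"),
    ("8.5.0", "8.5.93"),
]
# First fixed release per supported line, keyed by (major, minor).
FIXED_RELEASES = {(11, 0): "11.0.0-M12", (10, 1): "10.1.14", (9, 0): "9.0.81", (8, 5): "8.5.94"}
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?")

def parse_version(text: str) -> Tuple[int, int, int, int]:
    """'9.0.80' or '11.0.0-M11' -> sortable tuple. A milestone (-Mn) precedes the
    final release of that number, so finals get a large sentinel: M11 < M12 < 11.0.0."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch),
            int(milestone) if milestone is not None else 10**6)

def is_vulnerable(version: str) -> bool:
    """True if the version falls inside one of the listed ranges (inclusive)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in VULNERABLE_RANGES)

def extract_version(banner: str) -> Optional[str]:
    """Version from 'Server version: Apache Tomcat/9.0.80' (bin/version.sh) or bare."""
    m = re.search(r"Apache Tomcat/(" + _VERSION_RE.pattern + ")", banner)
    if m:
        return m.group(1)
    m = _VERSION_RE.fullmatch(banner.strip())
    return m.group(0) if m else None

def assess(banner: str) -> dict:
    """Classify one host's reported version against CVE-2023-42795."""
    version = extract_version(banner)
    if version is None:
        return {"version": None, "status": "unknown", "fixed_in": None}
    major, minor, _, _ = parse_version(version)
    fixed = FIXED_RELEASES.get((major, minor))
    if is_vulnerable(version):
        status = "vulnerable"
    elif fixed is None:
        status = "not_listed"  # e.g. EOL 7.0.x/8.0.x: page says these may still be affected
    else:
        status = "fixed"
    return {"version": version, "status": status, "fixed_in": fixed}
```

Feed it the output of `bin/version.sh` from each host; a "not_listed" result means the line is outside the enumerated ranges and needs manual review rather than a clean bill of health.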
Monitoring Recommendations
- Forward Tomcat access and error logs to a centralized SIEM and alert on anomalous response patterns and on errors raised during request or response recycling.
- Monitor for stack traces in catalina.out referencing request or response recycling failures, which can correlate with the buggy code path.
- Track outbound responses for sensitive markers such as session IDs or internal tokens leaving unexpected endpoints.
How to Mitigate CVE-2023-42795
Immediate Actions Required
- Upgrade Apache Tomcat to a fixed release: 11.0.0-M12 or later, 10.1.14 or later, 9.0.81 or later, or 8.5.94 or later.
- Apply distribution-provided updates on Debian systems per Debian Security Advisory DSA-5521 and Debian Security Advisory DSA-5522.
- Restart Tomcat instances after patching to ensure recycled object pools are reinitialized with the fixed code.
- Review application logs for evidence of cross-request data leakage prior to remediation.
Patch Information
The Apache Tomcat project addressed the issue by correcting the recycling logic so that all internal request and response objects are fully reset, even on error paths. Refer to the Apache Mailing List Thread for the official announcement, the NetApp Security Advisory for affected vendor products, and the Debian LTS Announcement for Debian package updates.
Workarounds
- If immediate patching is not possible, disable HTTP connection keep-alive or set maxKeepAliveRequests="1" in the connector configuration to limit object reuse across requests.
- Place vulnerable Tomcat instances behind a reverse proxy that terminates and re-establishes upstream connections per request.
- Restrict network exposure of Tomcat to trusted clients until patching is complete.
<!-- Configuration example: limit connector keep-alive to reduce object reuse -->
<!-- Edit conf/server.xml on the Tomcat instance -->
<Connector port="8080"
           protocol="HTTP/1.1"
           connectionTimeout="20000"
           maxKeepAliveRequests="1"
           redirectPort="8443" />
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.